TU Darmstadt / ULB / TUbiblio

Evaluating Detection Error Trade-offs for Bytewise Approximate Matching Algorithms

Breitinger, Frank and Stivaktakis, Georgios and Roussev, Vassil :
Evaluating Detection Error Trade-offs for Bytewise Approximate Matching Algorithms.
In: 5th International ICST Conference on Digital Forensics & Cyber Crime (ICDF2C)
[Article] , (2013)

Abstract

Bytewise approximate matching is a relatively new area within digital forensics, but its importance is growing quickly as practitioners are looking for fast methods to analyze the increasing amounts of data in forensic investigations. The essential idea is to complement the use of cryptographic hash functions to detect data objects with bytewise identical representation with the capability to find objects with bytewise similar representations. Unlike cryptographic hash functions, which have been studied and tested for a long time, approximate matching ones are still in their early development stages, and have been evaluated in a somewhat ad-hoc manner. Recently, the FRASH testing framework has been proposed as a vehi- cle for developing a set of standardized tests for approximate matching algorithms; the aim is to provide a useful guide for understanding and comparing the absolute and relative performance of different algorithms. The contribution of this work is twofold: a) expand FRASH with auto- mated tests for quantifying approximate matching algorithm behavior with respect to precision and recall; and b) present a case study of two algorithms already in use–sdhash and ssdeep.

Item Type: Article
Erschienen: 2013
Creators: Breitinger, Frank and Stivaktakis, Georgios and Roussev, Vassil
Title: Evaluating Detection Error Trade-offs for Bytewise Approximate Matching Algorithms
Language: ["languages_typename_1" not defined]
Abstract:

Bytewise approximate matching is a relatively new area within digital forensics, but its importance is growing quickly as practitioners are looking for fast methods to analyze the increasing amounts of data in forensic investigations. The essential idea is to complement the use of cryptographic hash functions to detect data objects with bytewise identical representation with the capability to find objects with bytewise similar representations. Unlike cryptographic hash functions, which have been studied and tested for a long time, approximate matching ones are still in their early development stages, and have been evaluated in a somewhat ad-hoc manner. Recently, the FRASH testing framework has been proposed as a vehi- cle for developing a set of standardized tests for approximate matching algorithms; the aim is to provide a useful guide for understanding and comparing the absolute and relative performance of different algorithms. The contribution of this work is twofold: a) expand FRASH with auto- mated tests for quantifying approximate matching algorithm behavior with respect to precision and recall; and b) present a case study of two algorithms already in use–sdhash and ssdeep.

Journal or Publication Title: 5th International ICST Conference on Digital Forensics & Cyber Crime (ICDF2C)
Uncontrolled Keywords: Secure Data
Divisions: LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
LOEWE > LOEWE-Zentren
LOEWE
Event Location: Moscow
Date Deposited: 30 Dec 2016 20:23
Identification Number: TUD-CS-2013-0297
Export:

Optionen (nur für Redakteure)

View Item View Item